5 files changed, 277 insertions, 56 deletions
diff --git a/util/e6400-flash-unlock/Makefile b/util/e6400-flash-unlock/Makefile
index cf8e7845..41a90482 100644
--- a/util/e6400-flash-unlock/Makefile
+++ b/util/e6400-flash-unlock/Makefile
@@ -3,9 +3,13 @@
 
 CC=cc
 CFLAGS=-Wall -Wextra -Werror -O2 -pedantic
+ifeq ($(shell uname), OpenBSD)
+	CFLAGS += -l$(shell uname -p)
+endif
+SRCS=e6400_flash_unlock.c accessors.c
 
-all: e6400_flash_unlock.c
-	$(CC) $(CFLAGS) e6400_flash_unlock.c -o e6400_flash_unlock
+all: $(SRCS) accessors.h
+	$(CC) $(CFLAGS) $(SRCS) -o e6400_flash_unlock
 
 clean:
 	rm -f e6400_flash_unlock
diff --git a/util/e6400-flash-unlock/README.md b/util/e6400-flash-unlock/README.md
index 410a807a..bc9dd9f9 100644
--- a/util/e6400-flash-unlock/README.md
+++ b/util/e6400-flash-unlock/README.md
@@ -1,13 +1,44 @@
-# Dell Latitude E6400 Internal Flashing
+# Dell Laptop Internal Flashing
 
 This utility allows you to use flashrom's internal programmer to program the
 entire BIOS flash chip from software while still running the original Dell
-BIOS, which normally restricts software writes to the flash chip.
+BIOS, which normally restricts software writes to the flash chip. It seems like
+this works on any Dell laptop that has an EC similar to the SMSC MEC5035 on the
+E6400, which mainly seem to be the Latitude and Precision lines starting from
+around 2008 (E6400 era).
 
 ## TL;DR
 Run `make` to compile the utility, and then run `sudo ./e6400_flash_unlock` and
 follow the directions it outputs.
 
+## Confirmed supported devices
+- Latitude E6400
+- Latitude E6410
+- Latitude E4310
+- Latitude E6430
+- Precision M6800
+
+It is likely that any other Latitude/Precision laptops from the same era as
+devices specifically mentioned in the above list will work as Dell seems to use
+the same ECs in one generation.
+
+## Detailed device specific behavior
+- On GM45 era laptops, the expected behavior is that you will run the utility
+  for the first time, which will tell the EC to set the descriptor override on
+  the next boot. Then you will need to shut down the system, after which the
+  system will automatically boot up. You should then re-run the utility to
+  disable SMM, after which you can run flashrom. Finally, you should run the
+  utility a third time to reenable SMM so that shutdown works properly
+  afterwards.
+- On 1st Generation Intel Core systems such as the E6410 and newer, run the
+  utility and shutdown in the same way as the E6400. However, it seems like the
+  EC no longer automatically boots the system. In this case you should manually
+  power it on. It also seems that the firmware does not set the BIOS Lock bit
+  when the descriptor override is set, making the 2nd run after the reboot
+  technically unnecessary. There is no harm in rerunning it though, as the
+  utility can detect when the flash is unlocked and perform the correct steps
+  as necessary.
+
 ## How it works
 There are several ways the firmware can protect itself from being overwritten.
 One way is the Intel Flash Descriptor (IFD) permissions. On Intel systems, the
diff --git a/util/e6400-flash-unlock/accessors.c b/util/e6400-flash-unlock/accessors.c
new file mode 100644
index 00000000..6fca2817
--- /dev/null
+++ b/util/e6400-flash-unlock/accessors.c
@@ -0,0 +1,91 @@
+/* SPDX-License-Identifier: MIT */
+/* SPDX-FileCopyrightText: 2023 Nicholas Chin */
+
+#if defined(__linux__)
+#include <sys/io.h>
+#endif
+
+#if defined(__OpenBSD__)
+#include <machine/sysarch.h>
+#include <sys/types.h>
+#if defined(__amd64__)
+#include <amd64/pio.h>
+#elif defined(__i386__)
+#include <i386/pio.h>
+#endif /* __i386__ */
+#endif /* __OpenBSD__ */
+
+#include <errno.h>
+
+#include "accessors.h"
+
+uint32_t
+pci_read_32(uint32_t dev, uint8_t reg)
+{
+	sys_outl(PCI_CFG_ADDR, dev | reg);
+	return sys_inl(PCI_CFG_DATA);
+}
+
+void
+pci_write_32(uint32_t dev, uint8_t reg, uint32_t value)
+{
+	sys_outl(PCI_CFG_ADDR, dev | reg);
+	sys_outl(PCI_CFG_DATA, value);
+}
+
+void
+sys_outb(unsigned int port, uint8_t data)
+{
+	#if defined(__linux__)
+	outb(data, port);
+	#endif
+	#if defined(__OpenBSD__)
+	outb(port, data);
+	#endif
+}
+
+void
+sys_outl(unsigned int port, uint32_t data)
+{
+	#if defined(__linux__)
+	outl(data, port);
+	#endif
+	#if defined(__OpenBSD__)
+	outl(port, data);
+	#endif
+}
+
+uint8_t
+sys_inb(unsigned int port)
+{
+	#if defined(__linux__) || defined (__OpenBSD__)
+	return inb(port);
+	#endif
+	return 0;
+}
+
+uint32_t
+sys_inl(unsigned int port)
+{
+	#if defined(__linux__) || defined (__OpenBSD__)
+	return inl(port);
+	#endif
+	return 0;
+}
+
+int
+sys_iopl(int level)
+{
+#if defined(__linux__)
+	return iopl(level);
+#endif
+#if defined(__OpenBSD__)
+#if defined(__i386__)
+	return i386_iopl(level);
+#elif defined(__amd64__)
+	return amd64_iopl(level);
+#endif /* __amd64__ */
+#endif /* __OpenBSD__ */
+	errno = ENOSYS;
+	return -1;
+}
diff --git a/util/e6400-flash-unlock/accessors.h b/util/e6400-flash-unlock/accessors.h
new file mode 100644
index 00000000..a19f2152
--- /dev/null
+++ b/util/e6400-flash-unlock/accessors.h
@@ -0,0 +1,17 @@
+/* SPDX-License-Identifier: MIT */
+/* SPDX-FileCopyrightText: 2023 Nicholas Chin */
+
+#include <stdint.h>
+
+#define PCI_CFG_ADDR 0xcf8
+#define PCI_CFG_DATA 0xcfc
+#define PCI_DEV(bus, dev, func) (1u << 31 | bus << 16 | dev << 11 | func << 8)
+
+uint32_t pci_read_32(uint32_t dev, uint8_t reg);
+void pci_write_32(uint32_t dev, uint8_t reg, uint32_t value);
+
+int sys_iopl(int level);
+void sys_outb(unsigned int port, uint8_t data);
+void sys_outl(unsigned int port, uint32_t data);
+uint8_t sys_inb(unsigned int port);
+uint32_t sys_inl(unsigned int port);
diff --git a/util/e6400-flash-unlock/e6400_flash_unlock.c b/util/e6400-flash-unlock/e6400_flash_unlock.c
index d18970be..174a1c92 100644
--- a/util/e6400-flash-unlock/e6400_flash_unlock.c
+++ b/util/e6400-flash-unlock/e6400_flash_unlock.c
@@ -1,7 +1,6 @@
 /* SPDX-License-Identifier: MIT */
 /* SPDX-FileCopyrightText: 2023 Nicholas Chin */
 
-#include <sys/io.h>
 #include <sys/mman.h>
 
 #include <err.h>
@@ -10,67 +9,93 @@
 #include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
+#include <unistd.h>
 
-enum
-EC_FDO_CMD {
-	QUERY = 0,
-	SET_OVERRIDE = 2,
-	UNSET_OVERRIDE = 3
-};
+#include "accessors.h"
 
 int get_fdo_status(void);
-void ec_fdo_command(enum EC_FDO_CMD arg);
+int check_lpc_decode(void);
+void ec_set_fdo();
 void write_ec_reg(uint8_t index, uint8_t data);
 void send_ec_cmd(uint8_t cmd);
-void wait_ec(void);
-int get_gbl_smi_en(void);
+int wait_ec(void);
+int check_bios_write_en(void);
 int set_gbl_smi_en(int enable);
+int get_gbl_smi_en(void);
 
 #define EC_INDEX 0x910
 #define EC_DATA 0x911
-#define PMBASE 0x1000
-#define SMI_EN_REG (PMBASE + 0x30)
+#define EC_ENABLE_FDO 2
 
-/* Assume this is the same on all vendor BIOS versions */
-#define RCBA 0xfed18000
+#define LPC_DEV PCI_DEV(0, 0x1f, 0)
 
 #define RCBA_MMIO_LEN 0x4000
+
+/* Register offsets */
 #define SPIBAR 0x3800
 #define HSFS_REG  0x04
+#define SMI_EN_REG 0x30
 
 volatile uint8_t *rcba_mmio;
+uint16_t pmbase;
 
 int
 main(int argc, char *argv[])
 {
-	int devmemfd; (void)argc; (void)argv;
+	int devmemfd;
+	(void)argc;
+	(void)argv;
 
-	if ((ioperm(EC_INDEX, 2, 1) == -1) || (ioperm(SMI_EN_REG, 4, 1) == -1))
+	if (sys_iopl(3) == -1)
 		err(errno, "Could not access IO ports");
 	if ((devmemfd = open("/dev/mem", O_RDONLY)) == -1)
 		err(errno, "/dev/mem");
 
+	/* Read RCBA and PMBASE from the LPC config registers */
+	long int rcba = pci_read_32(LPC_DEV, 0xf0) & 0xffffc000;
+	pmbase = pci_read_32(LPC_DEV, 0x40) & 0xff80;
+
 	/* FDO pin-strap status bit is in RCBA mmio space */
 	rcba_mmio = mmap(0, RCBA_MMIO_LEN, PROT_READ, MAP_SHARED, devmemfd,
-			RCBA);
+			rcba);
 	if (rcba_mmio == MAP_FAILED)
 		err(errno, "Could not map RCBA");
 
-	if (get_fdo_status() == 1) {
-		ec_fdo_command(SET_OVERRIDE);
-		printf("Flash Descriptor Override enabled. Shut down now. The "
-			"EC will auto-boot the system and set the override.\n"
-			"Upon boot, re-run this utility to unlock flash.\n");
-	} else if (get_gbl_smi_en()){
-		set_gbl_smi_en(0);
-		printf("SMIs disabled. Internal flashing should work now.\n"
-			"After flashing, re-run this utility to enable SMIs.\n"
-			"(shutdown is buggy when SMIs are disabled)\n");
-	} else {
-		set_gbl_smi_en(1);
-		printf("SMIs enabled, you can now shutdown the system.\n");
+	if (get_fdo_status() == 1) { /* Descriptor not overridden */
+		if (check_lpc_decode() == -1)
+			err(errno = ECANCELED, "Can't forward I/O to LPC");
+
+		printf("Sending FDO override command to EC:\n");
+		ec_set_fdo();
+		printf("Flash Descriptor Override enabled.\n"
+			"Shut down (don't reboot) now.\n\n"
+			"The EC may auto-boot on some systems; if not then "
+			"manually power on.\n When the system boots rerun "
+			"this utility to finish unlocking.\n");
+	} else if (check_bios_write_en() == 0) {
+		/* SMI locks in place, try disabling SMIs to bypass them */
+		if (set_gbl_smi_en(0)) {
+			printf("SMIs disabled. Internal flashing should work "
+				"now.\n After flashing, re-run this utility "
+				"to enable SMIs.\n (shutdown is buggy when "
+				"SMIs are disabled)\n");
+		} else {
+			err(errno = ECANCELED, "Could not disable SMIs!");
+		}
+	} else { /* SMI locks not in place or bypassed */
+		if (get_gbl_smi_en()) {
+			/* SMIs are still enabled, assume this is an Exx10
+			 * or newer which don't need the SMM bypass */
+			printf("Flash is unlocked.\n"
+				"Internal flashing should work.\n");
+		} else {
+			/* SMIs disabled, assume this is an Exx00 after
+			 * unlocking and flashing */
+			set_gbl_smi_en(1);
+			printf("SMIs enabled.\n"
+				"You can now shutdown the system.\n");
+		}
 	}
-
 	return errno;
 }
 
@@ -80,60 +105,113 @@ get_fdo_status(void)
 	return (*(uint16_t*)(rcba_mmio + SPIBAR + HSFS_REG) >> 13) & 1;
 }
 
-/*
- * arg:
- * 0 = Query EC FDO status - TODO
- * 2 = Enable FDO for next boot
- * 3 = Disable FDO for next boot - TODO
- */
+int
+check_lpc_decode(void)
+{
+	/* Check that at a Generic Decode Range Register is set up to
+	 * forward I/O ports 0x910 and 0x911 over LPC for the EC */
+	int i = 0;
+	int gen_dec_free = -1;
+	for (; i < 4; i++) {
+		uint32_t reg_val = pci_read_32(LPC_DEV, 0x84 + 4*i);
+		uint16_t base_addr = reg_val & 0xfffc;
+		uint16_t mask = ((reg_val >> 16) & 0xfffc) | 0x3;
+
+		/* Bit 0 is the enable for each decode range. If disabled, note
+		 * this register as available to add our own range decode */
+		if ((reg_val & 1) == 0)
+			gen_dec_free = i;
+
+		/* Check if the current range register matches port 0x910.
+		 * 0x911 doesn't need to be checked as the LPC bridge only
+		 * decodes at the dword level, and thus a check is redundant */
+		if ((0x910 & ~mask) == base_addr) {
+			return 0;
+		}
+	}
+
+	/* No matching range found, try setting a range in a free register */
+	if (gen_dec_free != -1) {
+		/* Set up an I/O decode range from 0x910-0x913 */
+		pci_write_32(LPC_DEV, 0x84 + 4 * gen_dec_free, 0x911);
+		return 0;
+	} else {
+		return -1;
+	}
+}
+
 void
-ec_fdo_command(enum EC_FDO_CMD arg)
+ec_set_fdo()
 {
-	write_ec_reg(0x12, arg);
+	/* EC FDO command arguments for reference:
+	 * 0 = Query EC FDO status
+	 * 2 = Enable FDO for next boot
+	 * 3 = Disable FDO for next boot */
+	write_ec_reg(0x12, EC_ENABLE_FDO);
 	send_ec_cmd(0xb8);
 }
 
 void
 write_ec_reg(uint8_t index, uint8_t data)
 {
-	outb(index, EC_INDEX);
-	outb(data, EC_DATA);
+	sys_outb(EC_INDEX, index);
+	sys_outb(EC_DATA, data);
 }
 
 void
 send_ec_cmd(uint8_t cmd)
 {
-	outb(0, EC_INDEX);
-	outb(cmd, EC_DATA);
-	wait_ec();
+	sys_outb(EC_INDEX, 0);
+	sys_outb(EC_DATA, cmd);
+	if (wait_ec() == -1)
+		err(errno = ECANCELED, "Timeout while waiting for EC!");
 }
 
-void
+int
 wait_ec(void)
 {
 	uint8_t busy;
+	int timeout = 1000;
 	do {
-		outb(0, EC_INDEX);
-		busy = inb(EC_DATA);
-	} while (busy); 
+		sys_outb(EC_INDEX, 0);
+		busy = sys_inb(EC_DATA);
+		timeout--;
+		usleep(1000);
+	} while (busy && timeout > 0);
+	return timeout > 0 ? 0 : -1;
 }
 
 int
-get_gbl_smi_en(void)
+check_bios_write_en(void)
 {
-	return inl(SMI_EN_REG) & 1;
+	uint8_t bios_cntl = pci_read_32(LPC_DEV, 0xdc) & 0xff;
+	/* Bit 5 = SMM BIOS Write Protect Disable (SMM_BWP)
+	 * Bit 1 = BIOS Lock Enable (BLE)
+	 * If both are 0, then there's no write protection */
+	if ((bios_cntl & 0x22) == 0)
+		return 1;
+
+	/* SMM protection is enabled, but try enabling writes
+	 * anyway in case the vendor SMM code doesn't reset it */
+	pci_write_32(LPC_DEV, 0xdc, bios_cntl | 0x1);
+	return pci_read_32(LPC_DEV, 0xdc) & 0x1;
 }
 
 int
 set_gbl_smi_en(int enable)
 {
-	uint32_t smi_en = inl(SMI_EN_REG);	
+	uint32_t smi_en = sys_inl(pmbase + SMI_EN_REG);
 	if (enable) {
 		smi_en |= 1;
 	} else {
 		smi_en &= ~1;
 	}
-	outl(smi_en, SMI_EN_REG);
+	sys_outl(pmbase + SMI_EN_REG, smi_en);
 	return (get_gbl_smi_en() == enable);
 }
 
+int
+get_gbl_smi_en(void)
+{
+	return sys_inl(pmbase + SMI_EN_REG) & 1;
+}